System Requirements

Support

3.5.17

20 September - 43MBThis bugfix release fixes several problems, including an issue with entering the password in the "close account" module and with the automatic indexing of a page. In addition, the list of countries and languages has been updated.

Changelog

Fixed: Handle special character passwords in the "close account" module (see #8455).

3.5.10

20 April - 43MBThis bugfix release fixes several issues, including issues with the search index, the book navigation and the back end user switching. In addition, the handling of IDNA e-mail addresses has been consolidated.

Changelog

Fixed: Always trigger the "isVisibleElement" hook (see #8312).

Fixed: Do not change all sessions when switching users (see #8158).

Fixed: Do not allow to close fieldsets with empty required fields (see #8300).

Fixed: Make the path related properties of the File class binary-safe (see #8295).

Fixed: Always allow to navigate to the current month in the calendar (see #8283).

3.5.5

1 December 2015 - 43MBThis bugfix release fixes several issues, including the wrong tag rendering and the synchronization of the file system when moving or copying files with the source or target folder being excluded from synchronization.

Changelog

Fixed: Fix the domain when forwarding in the page controllers (see #8123).

Fixed: Use the feed URL instead of the base URL for enclosures (see #8116).

3.5.4

9 October 2015 - 43MBThis bugfix release fixes the issue with the event reader only displaying the teaser text and the issue with the home page no longer being marked as active. It also improves working with files which have been excluded from synchronization.

Changelog

Fixed: Do not add the back end language in the meta wizard (see #8056).

Fixed: Do not add excluded files to the DBAFS if they are edited in the file manager.

Fixed: Add the |flatten insert tag flag to handle arrays (see #8021).

Fixed: Check for excluded folders in the back end file popup (see #8003).

3.5.3

10 September 2015 - 43MBThis bugfix release fixes a problem with the model registry, which noticeably affected the performance. It also improves the compatibility with Microsoft Edge and the Google pagespeed module.

3.5.0

(major version)5 June 2015 - 43MB111 tickets and pull requests have been completed during the 4 months of development and the following testing period.

Long Term Support

Contao 3.5 is an LTS version, which is supported at least until November 2016.

It supersedes the current LTS version Contao 3.2, which now enters its 6 months transition phase during which only security related issues will still be fixed.

New Features

PHP 5.4: The minimum PHP version required to run Contao has been raised to PHP 5.4. In this course, all templates have been adjusted to use short open tags ( instead of ), which are available by default as of PHP 5.4.

Image meta data in themes: Theme exports now also contain the image meta data, which includes the name of the image, the image caption and the coordinates of the important part.

Select multiple checkboxes: You can now select multiple checkboxes at once in "edit multiple" mode by holding down the Shift key while clicking.

Database key length: It is now possible to specify the length of a database key.

Initial versions: Contao now also shows initial versions in the "latest changes" section of the back end, which do not yet have an editing history.

Change password: The new front end module "change password" adds a form to the page, which members can use to change their password. Other than in the "personal data" module, the "change password" module will also ask for the old password.

Picture insert tag: Analogous to the {{image}} insert tag, there is now also a {{picture}} insert tag, which allows to insert responsive images.

Compare templates: Thanks to Yanick Witschi, there is now an option to compare customized templates with their original or another template of the same group.

Cache tuning: An additional lookup file now allows to map any request for the empty domain to a cached page, independent of which languages the visitor's browser accepts. In the past, only a limited mapping was possible.

Performance optimization: The performance of Contao when rendering websites with a lot of news or events could be notably improved by selectively tuning the database queries. In addition, lazy loading of the content elements by means of closures could decrease the RAM demand of the listing modules.

Newsletter recipients: It is now possible to move or copy newsletter recipients from one channel into another. At that, the stored double opt-in data will be deleted and the status will be set to "added manually".

Arrow brackets in user input: In Contao 3.5, we have adjusted the user input validation so arrow brackets are only removed if they are part of an HTML tag. A regular usage, e.g. as comparison operator, is now possible.

Improved error handling: The front end error handling has been standardized and now the 404 page is always generated if an event or a news item is not found or if an invalid page number or date is entered. This also applies if a page is called via its numeric ID instead of its alias (e.g. 44.html instead of home.html). Rendering the error page is meant to help avoid duplicate content in this case.

Duplicating multiple items: It is now possible to duplicate multiple items in the back end list view.

Hidden system files: The new release standardizes the handling of hidden system files beginning with a dot (e.g. .htaccess, .git or .svn). These files are now ignored everywhere in Contao.

New hooks: The following hooks were added: compileArticle, postAuthenticate, newsListCountItems, newsListFetchItems, getPageStatusIcon

Updated plugins: The following plugins were updated: Respimage to version 1.3.0, jQuery to version 1.11.2, jQuery UI to version 1.11.4, Mediaelement.js to version 2.16.4, Colorbox to version 1.6.0, HTML5Shiv to version 3.7.2, DropZone to version 3.12.0, ACE-Editor to version 1.1.8

IDE compatibility: The Contao source code has been highly optimized regarding its IDE compatibility, so now it is possible to click almost every class, method or property to directly jump to its declaration.

3.4.4

The vulnerability allows logged in back end users to view files which are outside their file mounts or the document root. It is, however, not possible to edit these files or to view their content. Upgrading is still highly recommended.

Changelog

Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See CVE-2015-0269 for more information.

3.4.2

23 January 2015 - 43MBThis bugfix release fixes several smaller issues including the wrong LESS import path in the Combiner class and the problem with the missing class_exists() call in the file and page picker.

3.4.0

(major version)26 November 2014 - 43MBHighlights

SVG support: Thanks to Tristan Lins' initiative, Contao 3.4 supports SVG and SVGZ images. The images can not only be resized (thumbnails) but are also editable with the source editor in the file manager.

Responsive images: Martin Auswöger and Yanick Witschi have created the biggest pull request in the history of Contao to support new technologies like the 'picture' element as well as the sizes and the srcset attribute. In combination with the picturefill.js script, you can implement responsive images, which are sent to the client in different sizes depending on the device and resolution. As an additional highlight, the two have enhanced the automatic thumbnail generation so you can now mark any section of an image as "important part" in the file manager. Then, when cropped, the image will be focused on this part. An introduction to responsive images is available on responsiveimages.org.

Style sheet order: The order of the internal and external style sheets is now configurable in the page layout, so the internal style sheets can be injected after the external ones if needed. In addition, there is now an option to export internal style sheets.

Asynchronous JavaScript: Analogous to the |static flag, which allows to include JavaScripts and style sheets statically, an |async flag has been added in Contao 3.4, which allows to load JavaScript files asynchronously using the async attribute.

Image links in TinyMCE: It is now possible to switch between the page and file picker when needed, so you can not only link pages in TinyMCE but also files.

Active page in the navigation menu: The active page in the navigation menu is now always rendered as a link, if the URL contains query parameters (e.g. when reading a news article). If you e.g. open the page news/james-wilson-returns.html, it is now possible to click the link to the news.html page in the navigation menu.

Theme export with SQL files: It is possible in Contao 3.4 to store SQL files in the templates folder, which is associated with a theme. The SQL files will then be included in the export and the install tool will automatically find them after the theme import.

Timing attack prevention: In PHP 5.5, new functions to create and verify password hashes have been added to prevent timing attacks. We are using these functions in Contao 3.4, together with appropriate fallback routines for PHP 5.4 and 5.3.

Login to comment: If a visitor is not logged in and the "login to comment" option is enabled, the comment form will be hidden. Contao 3.4 will additionally display a "please log in to comment" message.

Skip images without meta data: There is now an option to skip images without meta data in an image gallery. This corresponds to the behavior of Contao 2.

Registration and password mails: The e-mail texts of the member registration and lost password modules now support simple tokens, which means that they can be personalized.

Insert tag link_name: The new insert tag {{link_name}} outputs the name of a page (in contrast to the {{link_title}} tag, which outputs the page title).

DCA flag "doNotTrim": With the "doNotTrim" flag of the DCA, you can suppress the automatic removal of whitespace at the beginning and end of the user input.

Non-negative natural numbers: A new regular expression to validate non-negative natural numbers has been added, which can be used in the DCA as 'rgxp'=>'natural'.

New hooks and callbacks: The following hooks have been added in Contao 3.4: compareThemeFiles, extractThemeFiles, exportTheme, sendNewsletter. The DCA now also triggers an "onundo_callback" when restoring a deleted record.

4.4.0

(major version)26 November 2014 - 43MBHighlights

SVG support: Thanks to Tristan Lins' initiative, Contao 3.4 supports SVG and SVGZ images. The images can not only be resized (thumbnails) but are also editable with the source editor in the file manager.

Responsive images: Martin Auswöger and Yanick Witschi have created the biggest pull request in the history of Contao to support new technologies like the 'picture' element as well as the sizes and the srcset attribute. In combination with the picturefill.js script, you can implement responsive images, which are sent to the client in different sizes depending on the device and resolution. As an additional highlight, the two have enhanced the automatic thumbnail generation so you can now mark any section of an image as "important part" in the file manager. Then, when cropped, the image will be focused on this part. An introduction to responsive images is available on responsiveimages.org.

Style sheet order: The order of the internal and external style sheets is now configurable in the page layout, so the internal style sheets can be injected after the external ones if needed. In addition, there is now an option to export internal style sheets.

Asynchronous JavaScript: Analogous to the |static flag, which allows to include JavaScripts and style sheets statically, an |async flag has been added in Contao 3.4, which allows to load JavaScript files asynchronously using the async attribute.

Image links in TinyMCE: It is now possible to switch between the page and file picker when needed, so you can not only link pages in TinyMCE but also files.

Active page in the navigation menu: The active page in the navigation menu is now always rendered as a link, if the URL contains query parameters (e.g. when reading a news article). If you e.g. open the page news/james-wilson-returns.html, it is now possible to click the link to the news.html page in the navigation menu.

Theme export with SQL files: It is possible in Contao 3.4 to store SQL files in the templates folder, which is associated with a theme. The SQL files will then be included in the export and the install tool will automatically find them after the theme import.

Timing attack prevention: In PHP 5.5, new functions to create and verify password hashes have been added to prevent timing attacks. We are using these functions in Contao 3.4, together with appropriate fallback routines for PHP 5.4 and 5.3.

Login to comment: If a visitor is not logged in and the "login to comment" option is enabled, the comment form will be hidden. Contao 3.4 will additionally display a "please log in to comment" message.

Skip images without meta data: There is now an option to skip images without meta data in an image gallery. This corresponds to the behavior of Contao 2.

Registration and password mails: The e-mail texts of the member registration and lost password modules now support simple tokens, which means that they can be personalized.

Insert tag link_name: The new insert tag {{link_name}} outputs the name of a page (in contrast to the {{link_title}} tag, which outputs the page title).

DCA flag "doNotTrim": With the "doNotTrim" flag of the DCA, you can suppress the automatic removal of whitespace at the beginning and end of the user input.

Non-negative natural numbers: A new regular expression to validate non-negative natural numbers has been added, which can be used in the DCA as 'rgxp'=>'natural'.

New hooks and callbacks: The following hooks have been added in Contao 3.4: compareThemeFiles, extractThemeFiles, exportTheme, sendNewsletter. The DCA now also triggers an "onundo_callback" when restoring a deleted record.

3.3.6

3 November 2014 - 43MBThis release fixes the incomplete output of the submit button markup as well as the handling of insert tags in page names and titles. In addition, several JavaScript plugins have been updated.

3.2.19

The vulnerability allows logged in back end users to view files which are outside their file mounts or the document root. It is, however, not possible to edit these files or to view their content. Upgrading is still highly recommended.

Changelog

Fixed a directory traversal vulnerability discovered by Arnaud Buchoux. See CVE-2015-0269 for more information.

3.2.15

3 November 2014 - 50MBThis release release fixes several issues, including a problem with the HTTPS URL generation and the display of the filter menus for tables with dynamic parent table. In addition, several JavaScript plugins have been updated.

3.2.12

2 July 2014 - 50MBThis bugfix release restores the PHP 5.3 compatibility of the listing module, fixes an issue with exporting binary data in the themes module and corrects the cursor display in the ACE editor.

Bugs Fixed:

Fixed: Replace insert tags in external redirect targets (see #6765).

Fixed: Also apply the font settings to the ACE element (see #7103).

Fixed: Show the placeholder image in the "edit file" dialog if the original image exceeds the maximum dimensions supported by the GD library (see #7032).

3.2.10

21 May 2014 - 43MBThis bugfix release fixes issues with file names containing special characters and improves the file synchronization and the handling of binary fields during theme import. Also, the following plugins have been updates: Swipe, ACE, Datepicker, MooTools

3.2.8

12 March 2014 - 43MBThis bugfix release fixes several minor problems, e.g. the broken "continuous" support of the content element slider or the sorting of the elements of the page/filetree widget in "edit multiple" mode.

3.2.6

(security release)13 February 2014 - 43MBThis bugfix release fixes another security hole related to the PHP object injection vulnerability, which was still exploitable in the Contao back end in version 3.2.5.

Bugs Fixed:

Further harden the deserialize() function and the Input class (see #6724).

3.2.5

(security release)3 February 2014 - 43MBThis bugfix release fixes a potential PHP object injection vulnerability (thanks to Pedro Ribeiro). The vulnerability exists, because POST data is passed to the deserialize() function, which was the case in the core multiple times. However, we were not able to exploit the vulnerability if the POST data was accessed via the Contao Input class. This does not mean that it cannot be accomplished though.

3.2.3

(major version)20 December 2013 - 43MB140 tickets and pull requests have been completed during the 4 months of development and the following 2 months of testing.Read more: http://contao.org/en/news/contao-3_2_0.html

3.1.5

8 November 2013 - 43MBThis bugfix release fixes an issue with the PDF export and with duplicating members.

Changelog:

Fixed: Correctly handle shorthand byte values (see #6345).

Fixed: Also update the sitemap if a news/event feed is updated (see #5727).

Fixed: Correctly sort by date in the listing module (see #5609).

Fixed: Correctly handle the autologin key if a member is duplicated (see #5945).

3.1.3

28 September 2013 - 43MBThe bugfix release fixes a potential data inconsistency issue when using models, which can be caused by the result cache.

The result cache has been removed entirely to fix the issue, which renders the methods executeUncached() and executeCached() deprecated. They only remain available as alias for the execute() method for reasons of backwards compatibility.

3.1.2

28 August 2013 - 43MBThis bugfix release fixes issues with the output of IDNA domain names as well as two issues with the back end user interface (referer management and file picker). Also, the HTML5 form types "date", "time" and "datetime" are no longer used.

3.1.1

(addendum 1)1 August 2013 - 43MBApplications:

Install: Fixed the "Content" option to install correctly on newer versions of PHP. Blank installs and older versions of PHP were not affected.

3.1.1

25 June 2013 - 43MBThis bugfix release fixes several plugin issues, including the missing slider support in IE8, the wrong generation of the CSS3PIE file path and the wrong assignment of the dollar function to jQuery instead of MooTools.

3.1.0

(major version)21 May 2013 - 43MBAccording to the new time-based release schedule, the first minor update of Contao 3 has been published today. 217 tickets and pull requests have been completed during the four months development phase and the following two months testing phase.

There is one thing which you have to change manually: if your website uses sortable tables, you have to add the moo_tablesort or j_tablesort template in the page layout, so the JavaScript sorting continues to work.Read more: https://contao.org/en/changelog/versions/3.1.html

3.0.6

21 March 2013 - 43MBThis bugfix release fixes several issues, including the users' page and file mounts not being set correctly and the members' home directories not being created upon registration.

The relative path to the website (websitePath) is now stored separately in the system/config/pathconfig.php file instead of the local configuration file for technical reasons.

The local configuration file is now loaded twice again, before and after the module configuration files are loaded. This corresponds to the Contao 2.11 behaviour.

Fixed: Do not add links to news, events, FAQs or newsletters to the sitemap if the target page has not been published (see #5520).

Fixed: Include the local configuration file twice, once before and once after the module configuration files are parsed (see #5490). This will make settings like the debug or safe mode work properly.

Fixed: Correctly set the RSS feed self-reference (see #5478).

Fixed: Remove ­ and from RSS and Atom feeds (see #5473).

Fixed: Do not remove the grid column margin on mobile devices (see #5475).

Fixed: Store the relative path to the installation in the pathconfig.php (see #5339).

3.0.5

19 February 2013 - 33MBThis bugfix release fixes the issue with duplicating elements with their child elements, adds the missing .ogg support and improves the stability of the database-assisted file system. Also, all vendor libraries have been updated.

This bugfix release also fixes the issue with the language files not being loaded correctly in 3.0.4.

Uncached model relations

Analogous to the option to load models uncached, you can now load model relations uncached, too.

3.0.3

8 January 2013 - 33MBThis bugfix release includes a fix for the issue with the inadvertently duplicated content elements and improved the compatibility of the database-assisted file system. This bugfix release also fixes the install routine which did not work on fresh installations in Contao 3.0.2.

Database-assisted file system

Image galleries and download elements can now use the user's home directory as source again

Newsletter attachments are sent correctly again

The database is updated if a file is uploaded in a front end form

Content element visibility

Modules and forms included via content element now consider the visibility settings of the content element. Before version 3.0.2, those resources were always visible.

Enclosure download

If a page contains multiple elements with enclosures, these enclosures could not be downloaded under certain circumstances. This issue has been fixed in Contao 3.0.2.

3.0.1

29 November 2012 - 33MBThis bugfix release fixed a couple of issues, including that page alias names could not contain Unicode characters anymore.

Also, with version 3.0.1 we have removed the automatic copyright notice in the front end according to the announcement of November 8th, 2012 and replaced it with a meta generator tag.Read more: https://contao.org/en/news/contao-3_0_1.html

3.0.0

(major version)31 October 2012 - 33MB

2.11.13

19 November 2013 - 32MBThis bugfix release fixes the issue with extensions not being sorted correctly on some file systems.